Apple’s been hit by a weak link in its own supply chain: employees of a distributor have been detained under suspicion of selling iPhone users’ personal data on underground forums.

According to the Hong Kong Free Press, Chinese police have detained 22 people, 20 of whom were employees of a company described in a police statement as a “domestic direct sales company and outsourcing company”.

The detentions come after a months-long investigation across four Chinese provinces: Guangdong, Jiangsu, Zhejiang, and Fujian. The police statement said that the suspects were taken into custody and police seized what they called the gang’s “criminal tools” and dismantled their online network.

The alleged scam involved draining users’ names, phone numbers, Apple IDs and other data from an internal company system, then selling the personal data for what amounted to more than 50 million yuan (USD $7.35 million, £5.7 million).

The cost allegedly charged for the stolen data, sold piecemeal, was between 10 yuan (USD $1.47, £1.15) and 180 yuan (USD $26.48, £20.77).

The Hong Kong Free Press noted that the sale of personal information is “common” in China. Common, but increasingly dangerous: earlier in the month, the country enacted a new law that mandates strict data surveillance and storage for firms working in the country. According to Reuters, the official Xinhua news agency warned that “Those who violate the provisions and infringe on personal information will face hefty fines.”

Engadget reached out to Apple for more information, including how many customers were affected; whether they were just in China or also hailed from other countries; and what the fate of the internal, breached database might be. The publication hadn’t yet heard back as of Saturday.

But Apple sure hasn’t cornered the market on feisty employees, nor on insider threats like this recent crop of distributor employee arrests.

Pity healthcare companies, for example. According to a report from Protenus, a Big Data analytics firm, insiders committed 59.2% of patient health record privacy violations in January 2017, with much of the culpability falling on insiders who were either crooks or plain old clueless.

The “clueless” piece of the puzzle was underscored by another report, from IBM Managed Security Services (MSS), that found insiders to be responsible for 68% of all network attacks targeting healthcare data in 2016. Almost two-thirds of those attacks were the result of people using misconfigured servers and falling victim to phishing scams.

Take the ex-IT director at Columbia Sportswear, for one: the company recently sued him for allegedly setting himself up with a fake email account the day before he left and then using it to hack the company for more than two years.

Then too, there was Yovan Garcia, who was fined $318,661.70 after a California court found him guilty of padding his work hours, hacking the company’s servers to steal data on customers, demolishing the servers in the process, defacing the website, ripping off the proprietary software, and setting up a rival business running on that ripped-off program.

OUCH.

Employees on a rampage are one thing. But what’s a company supposed to do about a link in the supply chain that starts spurting data like a punctured artery? You can have the strictest security in the world, but it will all melt away if you have a weak link in the chain. As we’ve noted in the past, every company we do business with, share data with, outsource operations to, sell things to or buy things from forms a part of our own security chain. A breach at any point in the chain can have an impact on the privacy and integrity of data.

One would hope that Apple, or any company that handles our personal data, is vetting the vendors who process or store it, asking tough questions about their controls and how those controls are actually implemented.

An averted gaze or foot-shuffling can often tell you what you want to know. Hopefully, a few minutes of vetting can also keep your company name from popping up in headlines like the ones that Apple’s picking up from this incident, stuck like burrs to its hide, regardless of the fact that the culprits weren’t actually Apple employees.

About the author

Lisa has been writing about technology, careers, science and health since 1995. She rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash and joined the freelancer economy. Alongside Naked Security Lisa has written for CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output.